Abstract

In their seminal work on authentication, Wegman and Carter propose that to authenticate multiple messages, it is sufficient to reuse the same hash function as long as each tag is encrypted with a one-time pad. They argue that because the one-time pad is perfectly hiding, the hash function used remains completely unknown to the adversary.

Since their proof is not composable, we revisit it using a universally composable framework. It turns out that the above argument is insufficient: information about the hash function is in fact leaked in every round to the adversary, and after a bounded finite amount of rounds it is completely known. We show however that this leak is very small, and Wegman and Carter's protocol is still $\varepsilon$-secure, if $\varepsilon$-almost strongly universal$_2$ hash functions are used.

This implies that the secret key corresponding to the choice of hash function can be recycled for any task without any additional error than this $\varepsilon$. For example, if all the messages from many rounds of quantum key distribution are authenticated in this way, the error increases linearly in the number of rounds.



1 Introduction 

If a player, say, Bob, receives a message $x$ that claims to come from Alice, he might wish to know if this is true, or if the message was generated or modified by some adversary. This task is called authentication, and in their seminal work [1], Wegman and Carter showed that it can be achieved by appending a tag $t$ to the message (often called a message authentication code or MAC), where $t = h_k(x)$, $\{h_k\}_{k \in \mathcal{K}}$ is a family of almost strongly universal$_2$ (ASU$_2$) hash functions^1, and $k$ is a secret key shared by Alice and Bob.

There exist ASU$_2$ families that require roughly $2\log\log|\mathcal{X}| + 3\log|T|$ bits of shared secret key [3], where $\mathcal{X}$ is the message alphabet and $T$ the tag alphabet. Wegman and Carter [1] propose a scheme to use even fewer bits of key when multiple messages are to be authenticated: each tag should be encrypted with a fresh one-time pad (OTP), but the same hash function can be used each time. Alice thus appends the tag $t_i = h_{k_1}(x_i) \oplus k_2^i$ to her $i$-th message $x_i$, where $k_1$ is used for all messages and $k_2^i$ is a fresh key used only in this round. Asymptotically this scheme consumes only $\log|T|$ bits of key per round.

To prove the security of this scheme, Wegman and Carter show that given any amount of message-tag pairs $(x_1,t_1), (x_2,t_2), \dots$, the secret key $k_1$ is still perfectly uniform. They then argue that the probability of an adversary successfully falsifying any new message is the same as for the first message, which is guaranteed to be small by the properties of the ASU$_2$ hash functions. Many works reuse this scheme and sketch the proof in a similar way.

However, proving that a protocol is secure in a stand-alone model does not necessarily guarantee that it is still secure when combined with other protocols, not even when combined with itself like Wegman and Carter's scheme. A lot of research has gone into composability of cryptographic tasks in recent years. A general framework for proving composable security was developed by Canetti [8, 9], and dubbed Universally Composable (UC) security. Independently, Backes, Pfitzmann and Waidner [10, 11] introduced the equivalent notion of Reactive Simulatability. These security notions have been extended to the quantum setting by Ben-Or and Mayers [12] and Unruh [13, 14]. Composable security for key recycling in authentication has been studied in the case of quantum messages by Hayden, Leung and Mayers [15], but to the best of our knowledge has not been treated when the messages are classical.

An essential application of information-theoretic authentication is in quantum key distribution (QKD) protocols.^2 Every (classical) message exchanged between the two parties generating the key needs to be authenticated with information-theoretic security in order to guarantee the overall unconditional security of the protocol. Recycling the hash function is a practical way to save a large part of the secret key consumed in each round. And as Wegman and Carter's security proof does not fit in any composable security framework, this raises the question of whether this application is still secure. Some works, e.g., [17, 18], attempt to study this problem by analyzing the security of authentication when the secret keys used are not perfect. Abidin and Larsson [18] suggest that when QKD and authentication are combined recursively, and the (imperfect) secret key resulting from QKD is fed back into the next round of authentication and QKD, the total error rate could increase exponentially in the number of rounds.

^1 ASU$_2$ hashing was only formally defined later by Stinson [5]. A family of functions is said to be ASU$_2$ if any two different messages are almost uniformly mapped to all pairs of tags. An exact definition is given in Definition 3.1 on page 7.

^2 We refer to textbooks such as [16] for a general overview of QKD.



New results. We therefore study Wegman and Carter's authentication scheme with key recycling [1] using the UC framework from [9].^3 We show that the hash function is gradually leaked to the adversary, even when the key used for the OTP is perfect. This leakage is however very small: we prove that this scheme is indeed $\varepsilon$-UC-secure if the hash functions used are $\varepsilon$-ASU$_2$.

In fact, we use almost XOR universal$_2$ (AXU$_2$) hash functions^4, which are slightly weaker than ASU$_2$ functions. We show that the recycled key is close to perfectly uniform and independent from all other random variables produced throughout the protocol. This means that the recycled key can be reused for any task, not only for subsequent rounds of authentication.

An immediate consequence of this and the composition theorem [9]^5 is that if this authentication scheme is used $\ell$ times in each round of an $\varepsilon'$-UC-secure QKD protocol, which is run $r$ times, recycling the same hash function throughout, the final key has distance at most $r(\ell\varepsilon + \varepsilon')$ from uniform.



Structure of this paper. In Section 2 we introduce the elements from the UC framework that we need in this work. We briefly define the security notion and state the universal composition theorem. In Section 3 we first model the UC security for standard authentication without recycling. In Section 4 we then model authentication with key recycling, and prove that using $\varepsilon$-AXU$_2$ hash functions and an OTP results in a scheme which is $\varepsilon$-UC-secure. In Section 5 we take a closer look at the secret key which is leaked to the environment, and show that an optimal attack over $\ell$ rounds of authentication which takes advantage of this key leakage has error exactly $\ell\varepsilon$. And finally in Section 6 we illustrate the composition theorem by applying it to the case of many rounds of authentication with key recycling and QKD. In Appendix A we give a proof of security of standard authentication as defined in Section 3. And in Appendix B we give some more details on impersonation attacks.

^3 Even though we ultimately wish to show that this protocol is composable in a quantum world, it is sufficient to consider classical UC security, since Unruh's lifting theorem [14] proves that classical UC security of a classical scheme implies quantum UC security.

^4 See Definition 4.1 on page 9 for an exact definition.

^5 Technically we also need Unruh's lifting theorem [14] for this statement to be absolutely correct, see Footnote 3.
2 UC security

The UC framework is a very general method allowing arbitrary multipartite cryptographic protocols to be represented and analyzed. Here we focus only on the elements needed for our analysis of information-theoretic authentication. In particular, we do not need to model corruption or consider the running time of the adversary or environment. For a complete treatment of UC security we refer to [8] and [14] for the classical and quantum settings respectively.

The essence of UC security is to compare the real situation (involving players following the given protocol and an active adversary) to some ideal process. If the two cannot be distinguished by the environment (in particular, if the adversary cannot achieve something which is impossible within the ideal process), then one can be substituted for the other in any setting. For example, if a key distribution protocol is indistinguishable from the ideal setting in which the parties receive a perfect key from a trusted source, then any encryption protocol that is secure with a perfect key is also secure when this key distribution protocol is used instead, i.e., the two protocols can be composed. This gives rise to the universal composition theorem: any two protocols which are UC secure can be concurrently composed and remain secure.

More precisely, for every task considered we need to define some ideal functionality $\mathcal{F}$, which takes all the inputs from the parties and performs the desired task in an ideal way. For example, in the case of authentication analyzed in Section 3, it is always possible for an adversary to cut or jumble the line, making sure the original message is not received. The ideal functionality can thus at best guarantee that the receiver gets either the original message or an error. It receives a message $x$ from the sender and either a block or a let-through command from the adversary, and then delivers $x$ to the receiver or produces an error message depending on the adversary's choice.

The environment $\mathcal{Z}$ is allowed to choose the inputs given to every party, receives all outputs and can communicate freely throughout the protocol with the adversary $\mathcal{A}$. Since the communication between the adversary and the ideal functionality $\mathcal{F}$ is different from when he interacts with the real players, he could immediately alert the environment $\mathcal{Z}$ of this. In the ideal process we therefore replace $\mathcal{A}$ by a simulator $\mathcal{S}$, which can be seen as a buffer between the environment and the ideal functionality. $\mathcal{S}$ often internally simulates $\mathcal{A}$, from which it gets its name.

Definition 2.1 (UC security [9]). A protocol $\pi$ $\varepsilon$-UC-realizes the ideal functionality $\mathcal{F}$, or, more succinctly, is $\varepsilon$-UC-secure, if for all adversaries $\mathcal{A}$ there exists a simulator $\mathcal{S}$ for which no environment $\mathcal{Z}$ can distinguish with probability more than $\varepsilon$ if it is interacting with $\mathcal{A}$ and players running $\pi$ or $\mathcal{S}$ and players using the ideal functionality $\mathcal{F}$.

We illustrate this for the case of authentication in Figure 1.

The above definition can in fact be simplified [9]: it is sufficient to consider a dummy adversary that forwards all messages to the environment and lets it decide what responses to send. Security against all other adversaries holds if it holds for the dummy adversary. In the next sections we therefore restrict our proofs to the dummy adversary.

The main composability theorem can now be stated: 

Theorem 2.2 (Universal composition [9]). Let $\pi$ and $\rho$ be two protocols such that $\rho$ $\varepsilon_1$-UC-realizes $\mathcal{F}$ and $\pi^{\mathcal{F}}$ $\varepsilon_2$-UC-realizes $\mathcal{G}$ when using $\mathcal{F}$ as a subroutine. Then $\pi^{\rho}$ $(\varepsilon_1 + \varepsilon_2)$-UC-realizes $\mathcal{G}$ when using $\rho$ as a subroutine.



3 Standard authentication 

Information-theoretic authentication is usually considered in a setting where two players $\mathcal{P}_1$ and $\mathcal{P}_2$ share a secret key $k \in \mathcal{K}$ and are connected by a channel under the control of an adversary. They wish to guarantee that a message received by $\mathcal{P}_2$ claiming to come from player $\mathcal{P}_1$ was neither generated nor altered by the adversary. These two types of attacks are often called impersonation and substitution.

For any protocol which encodes a message by appending a tag, i.e., sends $y = (x, t)$ when the message is $x$, security against impersonation attacks follows from security against substitution attacks. Since this is the only kind of protocol that we are concerned with, we only consider security against substitution attacks in the body of this paper, and refer to Appendix B for the proof of this reduction.

In Section 3.1 we define UC security for authentication, and in Section 3.2 we describe a secure authentication protocol, the proof of which is given in Appendix A.



3.1 Security 

To send a message $x$, $\mathcal{P}_1$ uses the key $k$ to generate a new message $y$ containing some redundancy^6, e.g., $y = (x, h_k(x))$ where $\{h_k\}_{k \in \mathcal{K}}$ is a family of hash functions. Upon receiving $y'$, $\mathcal{P}_2$ checks whether it is valid given the key $k$, and if so, outputs the corresponding $x'$. In the previous example with $y' = (x', t')$, $\mathcal{P}_2$ checks that $t' = h_k(x')$ and accepts $x'$ if this is the case or produces an error $\perp$ otherwise. This protocol is depicted on the left in Figure 1.

Since the channel is completely under the control of the adversary, he can always cut it or completely jumble the message. Hence in the ideal case it is not possible to guarantee that the original message is received, only that $\mathcal{P}_2$ is not tricked into accepting a falsified message. The ideal functionality $\mathcal{F}$ for authentication can be seen as a perfect channel with a switch controlled by the adversary: he can either switch it on and let the message through, or switch it off and let it produce an error. This is depicted on the right in Figure 1.

^6 The function $y = f_k(x)$ has to be injective to guarantee the uniqueness of $x'$.

Figure 1 - On the left: the real situation. Players $\mathcal{P}_1$ and $\mathcal{P}_2$ run the authentication protocol using their shared key $k$. The output of $\mathcal{P}_2$ is either an error $\perp$ if he detected some cheating, or the message $x'$ which might or might not be equal to the input $x$. On the right: the ideal situation. Some ideal functionality $\mathcal{F}$ either gives $\mathcal{P}_2$ the original message $x$ or an error $\perp$ depending on the decision of the simulator $\mathcal{S}$.

An authentication scheme is then $\varepsilon$-UC-secure if the environment $\mathcal{Z}$ cannot distinguish between these two situations. To get a more concrete security criterion, we need to define the simulator's actions in the case of the dummy adversary $\mathcal{A}$, who simply forwards $y$ to $\mathcal{Z}$ and forwards the response $y'$ to $\mathcal{P}_2$.

After receiving the message $x$ from the ideal functionality $\mathcal{F}$, the simulator $\mathcal{S}$ must send some $y$ to $\mathcal{Z}$. To do so, it picks a key $k \in \mathcal{K}$ uniformly at random and runs the same protocol as $\mathcal{P}_1$ to generate $y$. When it gets $y'$ from $\mathcal{Z}$, it checks whether $y = y'$ and sends either ok or $\perp$ to $\mathcal{F}$. Note that this simulator always accepts if the message was not modified, i.e., the ideal case has perfect robustness.

Let $X$ be the random variable describing the initial message $x \in \mathcal{X}$, $Y$ the corresponding encoding generated by $\mathcal{P}_1$ in the real case and $\mathcal{S}$ in the ideal case, and $Y'$ the response from $\mathcal{Z}$. Let $\hat{X}$ and $\tilde{X}$ be random variables over the alphabet $\mathcal{X} \cup \{\perp\}$ describing the outputs of $\mathcal{P}_2$ in the real and ideal cases respectively. In the real case $\mathcal{Z}$ has access to the joint random variable $XYY'\hat{X}$ and in the ideal case it sees $XYY'\tilde{X}$. An authentication scheme is then $\varepsilon$-UC-secure if for any $X$ and $Y'$ chosen by $\mathcal{Z}$, the statistical distance between the real and ideal cases satisfies

$$\frac{1}{2} \sum_{x,y,y',x'} \bigl| P_{XYY'\hat{X}}(x,y,y',x') - P_{XYY'\tilde{X}}(x,y,y',x') \bigr| \le \varepsilon. \qquad (1)$$
3.2 Protocol

To satisfy Eq. (1) it is sufficient to use a family of strongly universal$_2$ hash functions $\{h_k\}_{k \in \mathcal{K}}$ and define $y := (x, h_k(x))$ with the key $k$ distributed uniformly over $\mathcal{K}$. Then, as described above, $\mathcal{P}_2$ checks that $t' = h_k(x')$ for the $y' = (x', t')$ he receives, and accepts $x'$ if this is the case or produces an error $\perp$ otherwise.



Definition 3.1 (strongly universal$_2$ hash function [1, 2]). A family of hash functions $\{h_k : \mathcal{X} \to T\}_{k \in \mathcal{K}}$ is said to be $\varepsilon$-almost strongly universal$_2$ ($\varepsilon$-ASU$_2$)^7 if for $k$ chosen uniformly at random and all $x_1, x_2 \in \mathcal{X}$ with $x_1 \neq x_2$ and all $t_1, t_2 \in T$,

$$\Pr\left[h_k(x_1) = t_1 \text{ and } h_k(x_2) = t_2\right] \le \frac{\varepsilon}{|T|}. \qquad (2)$$

We give the proof that $\varepsilon$-ASU$_2$ hashing results in an authentication scheme that is $\varepsilon$-UC-secure in Appendix A.



4 Authentication with key recycling

If we wish to authenticate many messages and we use the protocol from Section 3, a new hash function and therefore a (completely) new key must be used in every round. This is however not necessary: as we show in Section 4.2, part of the key used to choose the hash function is $\varepsilon$-close to uniform from the point of view of the environment, and can therefore be recycled for further use. Before proving this, we first model this new protocol and its ideal functionality in Section 4.1.

Like for standard authentication analyzed in Section 3, we consider only substitution attacks here, in which the adversary modifies a valid message and tag. For impersonation attacks we refer to Appendix B.



4.1 Security

To model the key recycling, we must view this recycled key as an extra output of the protocol. An authentication scheme with key recycling can be seen as a combination of a key distribution protocol (which only has one output, a secret key) and an authentication scheme (which only has one output, a message). For simplicity we also split the ideal secret key shared by the two players in two parts, $k = (k_1, k_2)$, one which is recycled, $k_1$, and one which is consumed, $k_2$. The rest of the model is the same as for standard authentication described in Section 3.1: $\mathcal{P}_1$ uses the shared key $(k_1, k_2)$ to generate a new message $y$ containing some redundancy, $\mathcal{P}_2$ checks that $y'$ is a valid message given $(k_1, k_2)$ and accepts the corresponding $x'$ if that is the case. This is depicted on the left in Figure 2.

^7 The more common definition of strongly universal$_2$ hashing [3, 5, 7, 19] has an extra condition, namely that for all $x \in \mathcal{X}$ and $t \in T$, $\Pr[h_k(x) = t] = \frac{1}{|T|}$. This is however not a necessary condition to prove the security of authentication, so we omit it.

Figure 2 - On the left: the real situation. Players $\mathcal{P}_1$ and $\mathcal{P}_2$ run the authentication protocol using their shared keys $k_1, k_2$. They both output $k_1$ for recycling and $\mathcal{P}_2$ additionally produces either an error $\perp$ if he detected some cheating, or the message $x'$ which might or might not be equal to the input $x$. On the right: the ideal situation. Some ideal functionality $\mathcal{F}$ generates a perfect key $k_1$ and additionally either gives $\mathcal{P}_2$ the original message $x$ or an error $\perp$ depending on the decision of the simulator $\mathcal{S}$.

In the ideal case, the ideal functionality $\mathcal{F}$ generates a new secret key $k_1$, which is therefore perfectly uniform and independent from the environment. The rest is identical to standard authentication. The ideal functionality also sends either the original message $x$ or an error $\perp$ to $\mathcal{P}_2$ depending on the decision of the simulator $\mathcal{S}$. The simulator $\mathcal{S}$ for the dummy adversary generates its own local keys $k_1$ and $k_2$ and runs the same protocol as $\mathcal{P}_1$ to generate $y$. Upon receiving $y'$ from the environment it checks whether $y' = y$ and sends either ok or $\perp$ to $\mathcal{F}$. Here too, the simulator always accepts if the message was not modified, i.e., the ideal case has perfect robustness. This is depicted on the right in Figure 2.



Let $X$ be the random variable describing the initial message $x \in \mathcal{X}$, $Y$ the corresponding encoding generated by $\mathcal{P}_1$ in the real case and $\mathcal{S}$ in the ideal case, and $Y'$ the response from $\mathcal{Z}$. Let $\hat{X}$ and $\tilde{X}$ be random variables over the alphabet $\mathcal{X} \cup \{\perp\}$ describing the outputs of $\mathcal{P}_2$ in the real and ideal cases respectively. And finally let $\hat{K}$ and $\tilde{K}$ be the random variables for the distribution of $k_1$ in the real and ideal cases respectively. Thus, in the real case $\mathcal{Z}$ has access to the joint random variable $XYY'\hat{X}\hat{K}$ and in the ideal case it sees $XYY'\tilde{X}\tilde{K}$. An authentication scheme is then $\varepsilon$-UC-secure if for any $X$ and $Y'$ chosen by $\mathcal{Z}$, the statistical distance between the real and ideal cases satisfies

$$\frac{1}{2} \sum_{x,y,y',x',k_1} \bigl| P_{XYY'\hat{X}\hat{K}}(x,y,y',x',k_1) - P_{XYY'\tilde{X}\tilde{K}}(x,y,y',x',k_1) \bigr| \le \varepsilon. \qquad (3)$$
4.2 Protocol

The protocols we wish to analyze in this setting encode a message $x$ as $y = (x, h_{k_1}(x) \oplus k_2)$, where $\{h_{k_1} : \mathcal{X} \to T\}_{k_1 \in \mathcal{K}}$ is a family of hash functions that map the message to some bit string $t \in T = \{0,1\}^m$, $k_2 \in T$ and $\oplus$ is the bitwise XOR. Then, as described above, $\mathcal{P}_2$ checks that $t' = h_{k_1}(x') \oplus k_2$ for the $y' = (x', t')$ he receives, and accepts $x'$ if this is the case or produces an error $\perp$ otherwise.

These hash functions do not need to be $\varepsilon$-ASU$_2$; it is sufficient for $g_{k_1,k_2}(x) = h_{k_1}(x) \oplus k_2$ to have this property. The property needed for $\{h_{k_1}\}_{k_1 \in \mathcal{K}}$ has been dubbed $\varepsilon$-almost XOR universal by Rogaway [6], $\varepsilon$-otp secure by Krawczyk [7] and $\varepsilon$-$\Delta$ universal by Stinson [19].^8

Definition 4.1 (XOR universal$_2$ hash function [6]). A family of hash functions $\{h_k : \mathcal{X} \to T\}_{k \in \mathcal{K}}$ for $T = \{0,1\}^m$ is said to be $\varepsilon$-almost XOR universal$_2$ ($\varepsilon$-AXU$_2$) if for $k$ chosen uniformly at random and all $x_1, x_2 \in \mathcal{X}$ with $x_1 \neq x_2$ and all $t \in T$,

$$\Pr\left[h_k(x_1) \oplus h_k(x_2) = t\right] \le \varepsilon. \qquad (4)$$

It is immediate from this definition that the hash function $g_{k_1,k_2}(x) := h_{k_1}(x) \oplus k_2$ is $\varepsilon$-ASU$_2$, i.e., for all $x_1, x_2 \in \mathcal{X}$ with $x_1 \neq x_2$ and all $t_1, t_2 \in T$,

$$\Pr\left[g_{k_1,k_2}(x_1) = t_1 \text{ and } g_{k_1,k_2}(x_2) = t_2\right] \le \frac{\varepsilon}{|T|}.$$

Since XORing a uniform string $k_2$ to any value yields a uniform string we also have

$$\Pr\left[g_{k_1,k_2}(x_1) = t_1\right] = \Pr\left[g_{k_1,k_2}(x_1) = t_1 \mid K = k_1\right] = \frac{1}{|T|}, \qquad (5)$$

where $K$ is the random variable for the recycled part of the key. Combining the two equations above gives

$$\Pr\left[g_{k_1,k_2}(x_2) = t_2 \mid g_{k_1,k_2}(x_1) = t_1\right] \le \varepsilon. \qquad (6)$$

We now have all the ingredients needed to prove the security.

Theorem 4.2. Let $\pi$ be an authentication scheme that encodes a message $x$ as $y = (x, h_{k_1}(x) \oplus k_2)$ and recycles $k_1$, where $\{h_{k_1} : \mathcal{X} \to T\}_{k_1 \in \mathcal{K}}$ is a family of $\varepsilon$-almost XOR universal hash functions, and $(k_1, k_2)$ are chosen uniformly at random from $\mathcal{K} \times T$. Then $\pi$ is $\varepsilon$-UC-secure.

^8 Stinson [19] generalizes this notion to any additive abelian group $T$ instead of only bit strings.
Proof. We need to show that Eq. (3) is satisfied for any distributions $P_X$ and $P_{Y'}$. First, for $y = (x, t)$, if the environment chooses $y' = (x, t')$, then the real and ideal protocols both either accept $x$ if $t' = t$ or reject it if $t' \neq t$. This means that

$$P_{\hat{X}|XYY'}(x'|x,(x,t),(x,t')) = P_{\tilde{X}|XYY'}(x'|x,(x,t),(x,t')) = \begin{cases} 0 & \text{if } x' \neq \perp \text{ XOR } t' \neq t, \\ 1 & \text{if } x' = \perp \text{ XOR } t' = t, \end{cases}$$

hence $\hat{X}$ and $\tilde{X}$ are completely determined by $XYY'$ and can be dropped. The LHS of Eq. (3) thus reduces to

$$\frac{1}{2} \sum_{x,t,t',k_1} P_{XYY'}(x,(x,t),(x,t')) \bigl| P_{\hat{K}|XYY'}(k_1|x,(x,t),(x,t')) - P_{\tilde{K}|XYY'}(k_1|x,(x,t),(x,t')) \bigr|.$$

Furthermore, from Eq. (5) we know that $\hat{K}$ is independent from $XY$, and therefore also from $XYY'$, hence $P_{\hat{K}|XYY'}(k_1|x,(x,t),(x,t')) = \frac{1}{|\mathcal{K}|}$, which is also the distribution of the ideal key $\tilde{K}$, so this term vanishes. We can thus assume w.l.o.g. that the adversary chooses $x' \neq x$.

For $y' = (x', t')$ and $x' \neq x$, the random variable $\hat{X}$ can take two values, $\perp$ if cheating was detected or $x'$ if the players were fooled. $\tilde{X}$ however always produces an error $\perp$. Separating the summation in the LHS of Eq. (3) over these two values gives

$$\frac{1}{2} \sum_{x,t,x',t',k_1} P_{XYY'}(x,(x,t),(x',t')) \Bigl| P_{\hat{X}\hat{K}|XYY'}(\perp,k_1|x,(x,t),(x',t')) - \frac{1}{|\mathcal{K}|} \Bigr| + \frac{1}{2} \sum_{x,t,x',t',k_1} P_{XYY'\hat{X}\hat{K}}(x,(x,t),(x',t'),x',k_1). \qquad (7)$$

We show in the following that

$$P_{\hat{X}\hat{K}|XYY'}(\perp,k_1|x,(x,t),(x',t')) \le \frac{1}{|\mathcal{K}|} \qquad (8)$$

for all values of $x, t, x', t', k_1$. This implies that Eq. (7) sums up to twice the value of the second term, i.e.,

$$\begin{aligned} \sum_{x,t,x',t',k_1} P_{XYY'\hat{X}\hat{K}}(x,(x,t),(x',t'),x',k_1) &= \sum_{x,t,x',t'} P_{XYY'}(x,(x,t),(x',t')) \sum_{k_1} P_{\hat{X}\hat{K}|XYY'}(x',k_1|x,(x,t),(x',t')) \\ &= \sum_{x,t,x',t'} P_{XYY'}(x,(x,t),(x',t')) \, P_{\hat{X}|XYY'}(x'|x,(x,t),(x',t')) \\ &\le \sum_{x,t,x',t'} P_{XYY'}(x,(x,t),(x',t')) \, \varepsilon = \varepsilon, \end{aligned}$$
where to reach the last line we used

$$P_{\hat{X}|XYY'}(x'|x,(x,t),(x',t')) = \Pr\left[h_{k_1}(x') \oplus k_2 = t' \mid h_{k_1}(x) \oplus k_2 = t\right]$$

and Eq. (6).

Finally, we show that Eq. (8) holds. The LHS can be decomposed as

$$P_{\hat{X}\hat{K}|XYY'}(\perp,k_1|x,(x,t),(x',t')) = P_{\hat{K}|XYY'}(k_1|x,(x,t),(x',t')) \, P_{\hat{X}|XYY'\hat{K}}(\perp|x,(x,t),(x',t'),k_1). \qquad (9)$$

Because $(x', t')$ are chosen by the environment when holding $(x, t)$, they do not influence the distribution of $\hat{K}$ given $XY$, so

$$P_{\hat{K}|XYY'}(k_1|x,(x,t),(x',t')) = P_{\hat{K}|XY}(k_1|x,(x,t)).$$

And as argued above in the case where $x' = x$, from Eq. (5) we know that $\hat{K}$ is independent from $XY$, so $P_{\hat{K}|XY}(k_1|x,(x,t)) = \frac{1}{|\mathcal{K}|}$. Combining this with $P_{\hat{X}|XYY'\hat{K}}(\perp|x,(x,t),(x',t'),k_1) \le 1$ and Eq. (9) proves Eq. (8). □
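As an added worked example (not code from the paper), the following Python builds a toy $\varepsilon$-AXU$_2$ family, the polynomial-evaluation hash over GF($2^4$), runs the protocol of Section 4.2 on it, and checks Definition 4.1, Eq. (5) and Eq. (6) exhaustively over the whole key space. The choice of family, the field size $m = 4$, the two-block messages and all function names are assumptions of this example, not the paper's.

```python
"""Wegman-Carter authentication with key recycling over a tiny
epsilon-AXU2 family, checked exhaustively (constructed example)."""
from collections import Counter
from itertools import product

M = 4                 # tag length in bits: T = {0,1}^4, |T| = 16
POLY = 0b10011        # x^4 + x + 1, irreducible over GF(2): defines GF(16)
N_BLOCKS = 2          # a message is N_BLOCKS elements of GF(16)
TAGS = range(1 << M)  # the tag alphabet T; also the key set K for k1


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^M): carry-less product reduced mod POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r


def poly_hash(k1: int, x: tuple) -> int:
    """h_{k1}(x) = sum_i x_i * k1^i in GF(2^M).  Linear in x, so
    h_{k1}(x) xor h_{k1}(x') = h_{k1}(x xor x'); a non-zero polynomial of
    degree <= N_BLOCKS has at most N_BLOCKS roots, hence the family is
    epsilon-AXU2 with epsilon = N_BLOCKS / |T| (an assumption verified below)."""
    acc, kpow = 0, 1
    for block in x:
        kpow = gf_mul(kpow, k1)
        acc ^= gf_mul(block, kpow)
    return acc


def wc_tag(k1: int, k2: int, x: tuple) -> int:
    """g_{k1,k2}(x) = h_{k1}(x) xor k2, the tag sent with x.
    k1 is the recycled key, k2 the one-time pad consumed in this round."""
    return poly_hash(k1, x) ^ k2


def wc_verify(k1: int, k2: int, y: tuple):
    """Receiver's check: return x' if t' = h_{k1}(x') xor k2, else None (⊥)."""
    x_prime, t_prime = y
    return x_prime if wc_tag(k1, k2, x_prime) == t_prime else None


MESSAGES = list(product(TAGS, repeat=N_BLOCKS))
# H[k1][x] precomputed once for the exhaustive checks below
H = {k1: {x: poly_hash(k1, x) for x in MESSAGES} for k1 in TAGS}


def axu_epsilon() -> float:
    """Largest Pr_{k1}[h_{k1}(x1) xor h_{k1}(x2) = t] over x1 != x2 and t
    (Definition 4.1), found by enumerating every pair and every key."""
    worst = 0
    for x1 in MESSAGES:
        for x2 in MESSAGES:
            if x1 == x2:
                continue
            hits = Counter(H[k1][x1] ^ H[k1][x2] for k1 in TAGS)
            worst = max(worst, max(hits.values()))
    return worst / len(TAGS)


def asu_probability(x1: tuple, x2: tuple, t1: int, t2: int) -> float:
    """Pr_{k1,k2}[g(x1) = t1 and g(x2) = t2] over all (k1, k2):
    the epsilon-ASU2 property of g, which must be <= epsilon / |T|."""
    hits = sum(1 for k1 in TAGS for k2 in TAGS
               if wc_tag(k1, k2, x1) == t1 and wc_tag(k1, k2, x2) == t2)
    return hits / (len(TAGS) * len(TAGS))


def substitution_success(x1: tuple, x2: tuple, t1: int, t2: int) -> float:
    """Pr[g(x2) = t2 | g(x1) = t1], Eq. (6): the chance that a substituted
    pair (x2, t2) is accepted after (x1, t1) was observed.  The marginal
    Pr[g(x1) = t1] is computed directly and equals 1/|T| by Eq. (5)."""
    marginal = sum(1 for k1 in TAGS for k2 in TAGS if wc_tag(k1, k2, x1) == t1)
    return asu_probability(x1, x2, t1, t2) * len(TAGS) ** 2 / marginal


if __name__ == "__main__":
    eps = axu_epsilon()
    print(f"family is epsilon-AXU2 with epsilon = {eps} (bound {N_BLOCKS / len(TAGS)})")
    x1, x2 = (3, 5), (1, 6)
    worst = max(asu_probability(x1, x2, t1, t2) for t1 in TAGS for t2 in TAGS)
    print(f"worst joint tag probability {worst} <= epsilon/|T| = {eps / len(TAGS)}")
    print(f"substitution success after seeing (x1, 0): {substitution_success(x1, x2, 0, 0)}")
```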



5 Secret key leakage

An immediate application of the UC security of authentication with key recycling is to reuse the same hash function to authenticate multiple messages, only renewing the part of the key XORed to the tag. The universal composition theorem (Theorem 2.2) says that if we do this $\ell$ times and each individual protocol is $\varepsilon$-UC-secure, then the composed protocol has error at most $\ell\varepsilon$.^9

In this section we show that this composition theorem is tight for all protocols with $\varepsilon = 1/|T|$, where $T$ is the alphabet for the tag, i.e., there exists an attack such that after $\ell$ rounds the adversary has probability at least $\ell\varepsilon$ of having successfully forged a message, for any $\ell \le 1/\varepsilon$.

Let us define $\{F_\ell\}_\ell$ to be a sequence of random variables taking the value 1 if the adversary successfully falsifies a message in any of the first $\ell$ rounds, and 0 otherwise. Then a quick calculation shows us that for any $0 \le \ell \le 1/\varepsilon - 1$,

$$P_{F_{\ell+1}|F_\ell}(1|0) = \frac{P_{F_{\ell+1}}(1) - P_{F_\ell}(1)}{P_{F_\ell}(0)} = \frac{(\ell+1)\varepsilon - \ell\varepsilon}{1 - \ell\varepsilon} = \frac{\varepsilon}{1 - \ell\varepsilon}.$$

This means that in every successive round, the adversary's probability of successfully forging a message increases. This happens because, as we show in Theorem 5.1 below, some information about the hash function is leaked in every round, even if the key used for the OTP is perfectly uniform, and the entropy of the hash function gradually decreases, until the adversary has enough information to successfully falsify a new message with probability 1.

^9 We illustrate this application of the composition theorem in Section 6.

This result contrasts strongly with the non-composable analysis found in [1]. There, the adversary simply collects the pairs of messages and tags $(x_1,t_1), (x_2,t_2), \dots$, and attempts to falsify a message in each round, independently from the attempts in previous rounds. In this case, due to the hiding property of the OTP, the distribution of the hash function always remains perfectly uniform given these message-tag pairs.

Theorem 5.1. Let $\pi$ be an authentication scheme that encodes a message $x$ as $y = (x, h_{k_1}(x) \oplus k_2)$ and recycles $k_1$, where $\{h_{k_1} : \mathcal{X} \to T\}_{k_1 \in \mathcal{K}}$ is a family of $\frac{1}{|T|}$-almost XOR universal hash functions. For any $1 \le \ell \le |T|$, let this protocol be used $\ell$ times with the same key $k_1 \in \mathcal{K}$ initially chosen uniformly at random, and a new uniformly random $k_2 \in T$ in each round. Then, there exists an attack such that after $\ell$ rounds,

$$H(K|Z_\ell) \le \log\frac{|\mathcal{K}|}{|T|} + \Bigl(1 - \frac{\ell}{|T|}\Bigr) \log\left(|T| - \ell\right),$$

where $K$ represents the choice of $k_1$ and $Z_\ell$ consists of all the inputs and outputs of the protocol (except for $K$) and the communication with the dummy adversary from these $\ell$ rounds. Furthermore, the adversary has probability at least $\ell/|T|$ of successfully falsifying one of the first $\ell$ messages.

Proof. Since the environment can choose the distribution of the messages to be authenticated in the $\ell$ rounds, we take them to always be the same message $x$. The environment also always substitutes the same message $x' \neq x$ for $x$ in each round. To be successful, it needs to guess correctly the value $c = h_{k_1}(x) \oplus h_{k_1}(x')$, since $t' = t \oplus c$, where $t$ is the tag that comes with $x$ and $t'$ is the correct tag for $x'$. The environment therefore makes a list of the $|T|$ possible values for $c$, and in each round eliminates one from its list.

In the first round the environment is given $(x, t_1)$ by the dummy adversary. It picks a $c_1$ from its list and sends $(x', t_1 \oplus c_1)$ back to the dummy adversary. The legitimate player accepts the message received from the adversary only if $c_1 = h_{k_1}(x) \oplus h_{k_1}(x')$, which happens with probability $p_1 = |T|^{-1}$.

If the environment is unsuccessful at falsifying the message, it can cross $c_1$ off its list. In the second round it then receives $(x, t_2)$, picks a new $c_2 \neq c_1$, and sends $(x', t_2 \oplus c_2)$. This time its success probability is $p_2 = (|T| - 1)^{-1}$, since it only has $|T| - 1$ elements $c$ left on its list.

If we repeat this for each round, the success probability in the $\ell$-th round given that the previous $\ell - 1$ were unsuccessful is $p_\ell = (|T| - \ell + 1)^{-1}$. We now prove by induction that the probability of successfully falsifying at least one message with this strategy is exactly $\ell/|T|$. Let $F_\ell$ be a random variable
taking the value 1 if the adversary successfully falsifies a message in any of the first $\ell$ rounds, and 0 otherwise. We have $P_{F_1}(1) = p_1 = 1/|T|$. And if $P_{F_{\ell-1}}(1) = (\ell - 1)/|T|$, then

$$P_{F_\ell}(1) = P_{F_{\ell-1}}(1) + P_{F_{\ell-1}}(0) \, p_\ell = \frac{\ell - 1}{|T|} + \Bigl(1 - \frac{\ell - 1}{|T|}\Bigr) \frac{1}{|T| - \ell + 1} = \frac{\ell}{|T|}.$$

Let $z_0$ represent any value of $Z_\ell$ in which the adversary fails to falsify any message, and $z_1$ be the case where he does trick the players. If he is successful, he immediately learns the correct value $c$, and thus

$$H(K|Z_\ell = z_1) = \log\frac{|\mathcal{K}|}{|T|}.$$

If the adversary is not successful, he has still managed to cross $\ell$ values for $c$ off his list, so

$$H(K|Z_\ell = z_0) = \log\frac{|\mathcal{K}|}{|T|}\left(|T| - \ell\right).$$

Combining the two equations above with the corresponding probabilities $P_{F_\ell}(1) = \ell/|T|$ and $P_{F_\ell}(0) = 1 - \ell/|T|$, we get

$$H(K|Z_\ell) \le \frac{\ell}{|T|} \log\frac{|\mathcal{K}|}{|T|} + \Bigl(1 - \frac{\ell}{|T|}\Bigr) \log\frac{|\mathcal{K}|}{|T|}\left(|T| - \ell\right) = \log\frac{|\mathcal{K}|}{|T|} + \Bigl(1 - \frac{\ell}{|T|}\Bigr) \log\left(|T| - \ell\right),$$

which is the bound stated in the theorem. □
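The quantities of this section, computed exactly as an added example (not the paper's code): the forging probability $P_{F_\ell}(1)$ via the recursion of the proof, the per-round gain $\varepsilon/(1-\ell\varepsilon)$, the entropy bound of Theorem 5.1, and, from a defender's side, how many rounds $k_1$ may be recycled before the cumulative forging probability exceeds a chosen budget. It assumes $\varepsilon = 1/|T|$ as in the theorem; the function names and the toy sizes $|T| = |\mathcal{K}| = 16$ are my own.

```python
"""Leakage accounting for the recycled hash key of Section 5: an exact
model of the list-elimination strategy (constructed example, not the
paper's code).  Tags live in an alphabet of size T, so epsilon = 1/T;
the hash key k1 is uniform over a set of size K."""
from fractions import Fraction
from math import log2


def round_success_prob(T: int, ell: int) -> Fraction:
    """p_ell = 1/(T - ell + 1): success probability of round ell, given
    that the ell - 1 candidates for c tried before were crossed off."""
    if not 1 <= ell <= T:
        raise ValueError("round index must lie in 1..T")
    return Fraction(1, T - ell + 1)


def forge_probability(T: int, ell: int) -> Fraction:
    """P_{F_ell}(1): probability of at least one forgery in the first ell
    rounds, by the recursion of the proof of Theorem 5.1,
    P_{F_ell}(1) = P_{F_{ell-1}}(1) + P_{F_{ell-1}}(0) p_ell.
    Its closed form ell/T is exactly the composition bound ell*epsilon."""
    forged = Fraction(0)
    for i in range(1, ell + 1):
        forged += (1 - forged) * round_success_prob(T, i)
    return forged


def conditional_round_gain(T: int, ell: int) -> Fraction:
    """P_{F_{ell+1}|F_ell}(1|0) = epsilon/(1 - ell*epsilon): the forging
    probability of the next round after ell failed rounds."""
    eps = Fraction(1, T)
    return eps / (1 - ell * eps)


def entropy_bound_bits(K: int, T: int, ell: int) -> float:
    """Theorem 5.1: H(K|Z_ell) <= log(K/T) + (1 - ell/T) log(T - ell),
    the uncertainty (in bits) about k1 that may remain after ell rounds."""
    if not 0 <= ell <= T:
        raise ValueError("ell must lie in 0..T")
    remaining = T - ell                      # candidates for c still on the list
    leftover = 0.0 if remaining == 0 else float(1 - Fraction(ell, T)) * log2(remaining)
    return log2(float(Fraction(K, T))) + leftover


def rounds_within_budget(T: int, budget) -> int:
    """Largest ell with P_{F_ell}(1) <= budget: how often k1 may be recycled
    before the cumulative forging probability exceeds the budget (a
    retirement rule for the recycled key)."""
    ell = 0
    while ell < T and forge_probability(T, ell + 1) <= budget:
        ell += 1
    return ell


if __name__ == "__main__":
    T, K = 16, 16                            # toy sizes: |T| = |K| = 16, epsilon = 1/16
    for ell in (0, 1, 4, 8, 15, 16):
        print(f"ell={ell:2d}  P[forged]={str(forge_probability(T, ell)):>5}  "
              f"H(K|Z_ell) <= {entropy_bound_bits(K, T, ell):.3f} bits")
    print("rounds within a 1/8 forging budget:", rounds_within_budget(T, Fraction(1, 8)))
```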

6 Example: Layered QKD and authentication

As an illustration of the universal composition theorem (Theorem 2.2), we sketch the security proof for a composition of quantum key distribution (QKD) and authentication with key recycling. The two players must share an initial key which is long enough to select the hash function and encrypt the tags for every message exchanged during the first round of QKD. The recycled key and new key produced by the QKD protocol are then used for the authentication in subsequent rounds. W.l.o.g. we assume the initial key to be perfect. If the authentication scheme is $\varepsilon_1$-UC-secure, and is needed $\ell$ times in each round of QKD, and the QKD protocol is $\varepsilon_2$-UC-secure and repeated $r$ times, it is immediate from the composition theorem that the final key (the concatenation of all unused secret key bits produced in each round and the recycled hash function) has distance at most $r(\ell\varepsilon_1 + \varepsilon_2)$ from uniform.

To sketch this, we first consider the composition of the $\ell$ rounds of authentication with key recycling, which we illustrate in Figure 3. In the ideal setting, the different rounds of the ideal authentication are all independent. So the statistical distance between the environment's ($\mathcal{Z}$) view of $\ell$ rounds of ideal authentication and $\ell - 1$ rounds of ideal authentication with 1 round of the real protocol is at most $\varepsilon_1$. Likewise, if we compare the second and third lines of Figure 3, the environment $\mathcal{Z}'$ can notice a difference with probability at most $\varepsilon_1$. Since $\mathcal{Z}'$ is simply $\mathcal{Z}$ with an additional internal round of authentication (which $\mathcal{Z}$ can run on its own anyway), $\mathcal{Z}$ does not have an advantage greater than $\varepsilon_1$ either. By repeating this reasoning and using the triangle inequality for the statistical distance, we find that $\ell$ rounds of authentication with key recycling have error at most $\ell\varepsilon_1$.

Figure 3 - The bottom line represents the environment's ($\mathcal{Z}$) view of the composition of many rounds of an authentication protocol with key recycling. Each box Real contains the two legitimate players and the adversary, depicted separately in Figure 2. The recycled key $k_1$ is passed from one protocol to the next. The rest of the communication between the environment, players and adversary is stylized by the two arrows beneath the box. The top line represents the ideal case, in which each box Ideal contains the players, ideal functionality and simulator. By substituting one real protocol for an ideal one, the distance between the environment's views increases by at most $\varepsilon$.

Next, we look at the composition of $\ell$ rounds of authentication and 1 
round of QKD. Let $K_1$ be the key recycled by the authentication protocols, 
$K_2$ the output of the QKD protocol, let $\hat K_1$ and $\hat K_2$ be their ideal counterparts, 
and let $\rho_E$ and $\hat\rho_E$ be the quantum states held by the environment in 
the real and ideal cases, consisting of all the information it gathered, the classical 
messages, tags, falsified messages, and quantum information gleaned 
from the quantum channel. We need to show that the (trace) distance 
between the real and ideal situations is bounded by $\ell\varepsilon_1 + \varepsilon_2$, i.e., 

$$
\left\| \rho_{K_1 K_2 E} - \rho_{\hat K_1} \otimes \rho_{\hat K_2} \otimes \hat\rho_E \right\|_{\mathrm{tr}} \le \ell\varepsilon_1 + \varepsilon_2 . \qquad (10)
$$



Since the composition of authentication protocols is close to ideal for all 
environments, it is in particular secure for an environment that runs a QKD 
protocol and attempts to distinguish between the real and ideal settings by 
looking at the output of the QKD protocol. Hence 

$$
\left\| \rho_{K_1 K_2 E} - \rho_{\hat K_1} \otimes \rho_{\hat K_2 E} \right\|_{\mathrm{tr}} \le \ell\varepsilon_1 ,
$$



where $\hat K_2$ is the output of the QKD protocol run with the ideal authentication. 
By the security definition of QKD [20], the protocol is $\varepsilon_2$-UC-secure 
if, when using an ideal authentication protocol, we have 

$$
\left\| \rho_{\hat K_2 E} - \rho_{\hat K_2} \otimes \hat\rho_E \right\|_{\mathrm{tr}} \le \varepsilon_2 .
$$



Combining the two equations above and the triangle inequality proves Eq. (10). 
The final step consists in showing that $r$ rounds of QKD and authentication 
have error at most $r(\ell\varepsilon_1 + \varepsilon_2)$. The reasoning is however identical to 
the $\ell$ sequential compositions of just authentication depicted in Figure 3, so 
we omit it. 
Appendices 

A Security proof for standard authentication 

We prove here the security of standard authentication with $\varepsilon$-ASU$_2$ hashing 
as defined in Definition 3.1. Note that this proof does not need the extra 
requirement that $\Pr[h_k(x) = t] = \frac{1}{|\mathcal{T}|}$, which is often part of the $\varepsilon$-ASU$_2$ 
definition (see Footnote 7 on page 7). 



Lemma A.1. Let $\pi$ be an authentication scheme that encodes a message $x$ 
as $y = (x, h_k(x))$, where $\{h_k : \mathcal{X} \to \mathcal{T}\}_{k \in \mathcal{K}}$ is a family of $\varepsilon$-almost strongly 
universal hash functions, and $k$ is chosen uniformly at random from $\mathcal{K}$. 
Then $\pi$ is $\varepsilon$-UC-secure. 



Proof. We need to show that Eq. (1) is satisfied for any distributions $P_X$ 
and $P_{Y'}$. Let $y = (x,t)$ and $y' = (x',t')$. If the environment chooses $x' = x$, 
both the real protocol and ideal functionality behave identically and are indistinguishable: 
they both accept $x$ if $t' = t$ and produce an error otherwise. 
We can therefore assume w.l.o.g. that $x' \neq x$. In this case, the simulator in 
the ideal situation always outputs an error $\bot$, i.e., $P_{\hat X}(\bot) = 1$. The security 
criterion (1) therefore reduces to 

$$
\sum_{x,t,x',t'} P_{XYY'}\big(x,(x,t),(x',t')\big)\, P_{X'|XYY'}\big(x' \,\big|\, x,(x,t),(x',t')\big) \le \varepsilon .
$$

Splitting the random variable $Y = XT$ into its two parts, and combining 
the following equations, 

$$
P_{XYY'}\big(x,(x,t),(x',t')\big) = P_{XTY'}\big(x,t,(x',t')\big) = P_X(x)\, P_{T|X}(t|x)\, P_{Y'|XT}(x',t'|x,t),
$$
$$
P_{T|X}(t|x) = \Pr[h_k(x) = t],
$$
$$
P_{X'|XYY'}\big(x' \,\big|\, x,(x,t),(x',t')\big) = \Pr[h_k(x') = t' \mid h_k(x) = t],
$$

we get 

$$
\sum_{x,t,x',t'} P_X(x)\, P_{Y'|XT}(x',t'|x,t)\, \Pr[h_k(x) = t \text{ and } h_k(x') = t']
\le \sum_{x,t,x',t'} P_X(x)\, P_{Y'|XT}(x',t'|x,t)\, \frac{\varepsilon}{|\mathcal{T}|} = \varepsilon .
$$
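To make the quantities in this proof concrete, here is an added example (not code from the paper) that enumerates a small $\varepsilon$-ASU$_2$ family exhaustively. The family $h_{(a,b)}(x) = ax + b \bmod p$ over $\mathbb{Z}_p$ with $p = 7$, and the function names, are constructed for this illustration. `asu2_epsilon` computes the smallest $\varepsilon$ with $\Pr_k[h_k(x)=t \text{ and } h_k(x')=t'] \le \varepsilon/|\mathcal{T}|$ for all $x \ne x'$, and `best_substitution_success` computes the best acceptance probability of a substitution attack (observe $(x,t)$, condition the key on it, forward $(x',t')$ with $x' \ne x$), which upper-bounds the sum in the proof for every choice of $P_X$ and $P_{Y'|XT}$.

```python
from fractions import Fraction
from itertools import product

# Constructed toy instance (assumption, not from the paper): messages and
# tags are elements of Z_p for a small prime p, so everything can be enumerated.
P = 7
MESSAGES = range(P)
TAGS = range(P)
KEYS = [(a, b) for a in range(P) for b in range(P)]   # k = (a, b), |K| = p^2


def h(k, x):
    """Affine hash h_{(a,b)}(x) = a*x + b mod p, a classical ASU2 family."""
    a, b = k
    return (a * x + b) % P


def asu2_epsilon():
    """Smallest eps with Pr_k[h_k(x)=t and h_k(x')=t'] <= eps/|T| for all x != x', t, t'.

    This is the only property Lemma A.1 uses; Pr[h_k(x)=t] = 1/|T| is never needed.
    """
    worst = Fraction(0)
    for x, xp, t, tp in product(MESSAGES, MESSAGES, TAGS, TAGS):
        if x == xp:
            continue
        hits = sum(1 for k in KEYS if h(k, x) == t and h(k, xp) == tp)
        worst = max(worst, Fraction(hits, len(KEYS)))
    return worst * len(TAGS)


def best_substitution_success():
    """Best acceptance probability of a substitution attack against y = (x, h_k(x)).

    The attacker sees a valid (x, t), conditions the key on it, and forwards
    (x', t') with x' != x. Every (x, t, x', t') is enumerated and the largest
    conditional acceptance probability Pr[h_k(x')=t' | h_k(x)=t] is returned.
    """
    best = Fraction(0)
    for x, t in product(MESSAGES, TAGS):
        consistent = [k for k in KEYS if h(k, x) == t]   # keys compatible with the observed tag
        if not consistent:
            continue
        for xp, tp in product(MESSAGES, TAGS):
            if xp == x:
                continue
            accepted = sum(1 for k in consistent if h(k, xp) == tp)
            best = max(best, Fraction(accepted, len(consistent)))
    return best


if __name__ == "__main__":
    eps = asu2_epsilon()
    forge = best_substitution_success()
    print(f"eps-ASU2 parameter: {eps}, best substitution success: {forge}")
    assert forge <= eps   # Lemma A.1: the scheme is eps-UC-secure against substitution
```

For this family both quantities come out as $1/7$: conditioned on $h_k(x) = t$ the seven remaining keys map $x'$ to each tag exactly once, so the forgery bound of Lemma A.1 is tight here.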

B Impersonation attacks 
B.1 Security 

In an impersonation attack, the adversary (or environment in case of a 
dummy adversary) does not wait for the legitimate parties to authenticate a 
message; instead he generates his own $y'$ before receiving any $y$. In the ideal 
case, the simulator then always sends an error $\bot$ to the ideal functionality, 
which transmits it to $P_2$. 

Since no input $x$ and corresponding $y$ are present, the security criterion 
for standard authentication (Eq. (1)) then reduces to 

$$
\frac{1}{2} \sum_{y',x} \left| P_{Y'X}(y',x) - P_{Y'\hat X}(y',x) \right| \le \varepsilon , \qquad (11)
$$

and we say that an authentication protocol is $\varepsilon$-UC-secure against impersonation 
attacks if Eq. (11) holds. 

In the case of key recycling, the decision of $P_2$ to accept or reject the 
message might be correlated to the key $k_1$, i.e., the random variables $X$ and 
$K$ can be correlated. It is therefore important that in this setting too, the 
ideal functionality produces a new key $\hat K$ which is perfectly uniform and 
independent from $Y'X$. The corresponding security criterion (Eq. (3)) then 
reduces to 

$$
\frac{1}{2} \sum_{y',x,k_1} \left| P_{Y'XK}(y',x,k_1) - P_{Y'\hat X\hat K}(y',x,k_1) \right| \le \varepsilon , \qquad (12)
$$

and we say that an authentication protocol with key recycling is $\varepsilon$-UC-secure 
against impersonation attacks if Eq. (12) holds. 

Although these might, at first look, seem like a simplification of their 
substitution-attack counterparts, it is in fact possible to construct (artificial) 
protocols that have an impersonation error roughly twice as large as the 
substitution error (see the footnote at the end of Section B.2). However, in the special case where the encoding of 
the message $x$ is of the form $y = (x,t)$, we show in the following section 
that security against impersonation attacks follows from security against 
substitution attacks. 



B.2 Reduction to substitution attacks 

Lemma B.1. Let $\pi$ be an authentication scheme (with or without key recycling) 
that encodes a message $x$ as $y = (x,t)$. If $\pi$ is $\varepsilon$-UC-secure (against 
substitution attacks), then it is also $\varepsilon$-UC-secure against impersonation attacks. 

We prove this statement for a scheme with key recycling. The proof 
when no recycling is performed is identical except for the omission of the 
random variables $K$ and $\hat K$. 

Proof. If 

$$
\frac{1}{2} \sum_{y',x,k_1} \left| P_{Y'XK}(y',x,k_1) - P_{Y'\hat X\hat K}(y',x,k_1) \right| > \varepsilon ,
$$

then there exists a specific $y' = (x',t')$ for which 

$$
\frac{1}{2} \sum_{x,k_1} \left| P_{XK|Y'}(x,k_1|y') - P_{\hat X\hat K|Y'}(x,k_1|y') \right| > \varepsilon .
$$

So w.l.o.g. we can take $P_{Y'}(y') = 1$. 

In the case of a substitution attack, the environment chooses any distribution 
$P_X$ such that $P_X(x') = 0$. Then upon receiving $y$ it sends $y' = (x',t')$. 
In the ideal case, the simulator and ideal functionality therefore always transmit 
an error, and in the real case $P_2$ accepts the message $x'$ with the same 
probability as for the impersonation attack. So $P_{XK|Y'}$ and $P_{\hat X\hat K|Y'}$ have 
exactly the same distributions in the cases of substitution and impersonation 
attacks. Hence 

$$
\frac{1}{2} \sum_{x,y,y',x',k_1} \ldots \qquad\qquad \frac{1}{2} \sum_{y',x,k_1} \ldots
$$



Footnote: Let $\{h_k : \{0,1\} \to \{0,1\}^m\}_{k \in \mathcal{K}}$ be a set of functions such that for all $k$, $h_k(0) = 0^m$, and 1 
is uniformly mapped (over the choice of $k$) to all $t \in \{0,1\}^m \setminus \{0^m\}$. Let the authentication 
protocol encode the message $x \in \{0,1\}$ as $(x \oplus k_1, h_k(x \oplus k_1))$. If the environment performs 
an impersonation attack by sending the message $y = (0, 0^m)$, this will be accepted with 
probability 1. If the environment performs a substitution attack, he first has to choose a 
message $x$, then receives the corresponding $y$ from the dummy adversary, and has to choose 
a new $y' \neq y$. For all $x$, with probability 1/2 the corresponding encoding is $y = (0, 0^m)$, 
and so the impersonation attack outlined above works only with probability 1/2. 
B.3 Tighter bound 

The bound on the impersonation error from Lemma B.1 is not always tight. 
In particular, in the case of the authentication protocol with key recycling 
given in Section 4.2 it is possible to get a better result. Due to the tight 
bound in Eq. (5) we find that this scheme is $\frac{1}{|\mathcal{T}|}$-UC-secure against impersonation 
attacks. 

Lemma B.2. Let $\pi$ be an authentication scheme that encodes a message $x$ as 
$y = (x, h_{k_1}(x) \oplus k_2)$ and recycles $k_1$, where $\{h_{k_1} : \mathcal{X} \to \mathcal{T}\}_{k_1 \in \mathcal{K}}$ is a family of 
$\varepsilon$-almost XOR universal$_2$ hash functions, and $(k_1,k_2)$ are chosen uniformly 
at random from $\mathcal{K} \times \mathcal{T}$. Then $\pi$ is $\frac{1}{|\mathcal{T}|}$-UC-secure against impersonation 
attacks. 



Proof. We need to show that for all distributions $P_{Y'}$, Eq. (12) holds for 
$\varepsilon = \frac{1}{|\mathcal{T}|}$. 

Since in the ideal case $\hat X = \bot$ and $\hat K$ is independent from $Y'X$, the 
LHS of Eq. (12) reduces to 

$$
\ldots - P_{Y'}(x,t) \ldots \qquad (13)
$$

And because from Eq. (5) 

$$
P_{XK|Y'}\big(x,k_1 \,\big|\, (x,t)\big) = \Pr\big[h_{k_1}(x) \oplus k_2 = t \text{ and } K = k_1\big]
= P_K(k_1)\, \Pr\big[h_{k_1}(x) \oplus k_2 = t \,\big|\, K = k_1\big],
$$

Eq. (13) is equal to $\frac{1}{|\mathcal{T}|}$. 

□ 



Note that in the case of standard authentication with $\varepsilon$-ASU$_2$ hashing, if 
we had made the extra assumption that $\Pr[h_k(x) = t] = \frac{1}{|\mathcal{T}|}$ (see Footnote 7 
on page 7), we would also have found that the corresponding scheme is $\frac{1}{|\mathcal{T}|}$-UC-secure 
against impersonation attacks. However, from Eq. (2) alone, we 
can at best get the bound 

$$
\Pr[h_k(x) = t] = \sum_{t'} \Pr[h_k(x) = t \text{ and } h_k(x') = t'] \le \varepsilon ,
$$

which only guarantees that the scheme is $\varepsilon$-UC-secure against impersonation 
attacks. 
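The two claims of this appendix, the footnote's artificial scheme in Section B.2 (impersonation error roughly twice the substitution error) and Lemma B.2 (impersonation error exactly $1/|\mathcal{T}|$ once the tag is one-time-padded), can both be checked by exhaustive enumeration. The following is an added example, not code from the paper. It assumes 3-bit tags ($|\mathcal{T}| = 8$), the footnote's family with $h_k(1) = k$ for $k \in \mathcal{T} \setminus \{0^m\}$, and, for Lemma B.2, the constructed $\varepsilon$-AXU family $h_a(x) = a \cdot x$ in $\mathrm{GF}(2^3)$ with $a \neq 0$; all function names are hypothetical. For the standard criterion (11) the acceptance probability of a blind forgery is the distance itself, because the ideal functionality always outputs $\bot$.

```python
from fractions import Fraction
from itertools import product

M = 3                          # tag length in bits (assumption: small enough to enumerate)
TAGS = range(1 << M)           # T = {0,1}^m, |T| = 8


def gf8_mul(a, b):
    """Multiplication in GF(2^3) with reduction polynomial x^3 + x + 1."""
    r = 0
    for _ in range(M):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= 0b1011
    return r


def prob(keys, event):
    """Probability over a uniformly chosen key that event(key) holds, as an exact fraction."""
    return Fraction(sum(1 for k in keys if event(k)), len(keys))


# --- The footnote's artificial scheme (message x in {0,1}) --------------------------
# Key = (k1, k): k1 is a one-time-pad bit on the message; k in T \ {0^m} fixes
# h_k(1) = k, while h_k(0) = 0^m for every k.
FN_KEYS = [(k1, k) for k1 in (0, 1) for k in range(1, 1 << M)]


def fn_hash(k, z):
    return k if z == 1 else 0


def fn_encode(key, x):
    k1, k = key
    z = x ^ k1
    return (z, fn_hash(k, z))


def fn_accepts(key, y):
    z, t = y
    return fn_hash(key[1], z) == t


def footnote_impersonation():
    """Best blind forgery: max over y of Pr[accept y]. (0, 0^m) is always accepted."""
    return max(prob(FN_KEYS, lambda key: fn_accepts(key, y))
               for y in product((0, 1), TAGS))


def footnote_substitution():
    """Best substitution attack: choose x, observe y = encode(x), then send the best y' != y."""
    best = Fraction(0)
    for x in (0, 1):
        total = Fraction(0)
        for y in {fn_encode(key, x) for key in FN_KEYS}:
            consistent = [key for key in FN_KEYS if fn_encode(key, x) == y]
            p_y = Fraction(len(consistent), len(FN_KEYS))
            succ = max(prob(consistent, lambda key: fn_accepts(key, yp))
                       for yp in product((0, 1), TAGS) if yp != y)
            total += p_y * succ
        best = max(best, total)
    return best


# --- Lemma B.2's scheme: y = (x, h_{k1}(x) xor k2), k1 recycled ---------------------
# Assumption: h_a(x) = a*x in GF(2^3) with a != 0, an eps-AXU family with eps = 1/7.
AXU_KEYS = range(1, 1 << M)
MSGS = range(1 << M)
REC_KEYS = [(a, k2) for a in AXU_KEYS for k2 in TAGS]


def axu_epsilon():
    """max over x != x' and d of Pr_a[h_a(x) xor h_a(x') = d]."""
    return max(prob(AXU_KEYS, lambda a: gf8_mul(a, x) ^ gf8_mul(a, xp) == d)
               for x, xp, d in product(MSGS, MSGS, TAGS) if x != xp)


def rec_tag(key, x):
    a, k2 = key
    return gf8_mul(a, x) ^ k2


def recycling_impersonation():
    """Blind forgery (x, t): the pad k2 makes every tag equally likely, so exactly 1/|T|."""
    return max(prob(REC_KEYS, lambda key: rec_tag(key, x) == t)
               for x, t in product(MSGS, TAGS))


def recycling_substitution():
    """Forge (x', t') after seeing (x, t): success is bounded by the AXU parameter eps."""
    best = Fraction(0)
    for x, t in product(MSGS, TAGS):
        consistent = [key for key in REC_KEYS if rec_tag(key, x) == t]
        for xp, tp in product(MSGS, TAGS):
            if xp != x:
                best = max(best, prob(consistent, lambda key: rec_tag(key, xp) == tp))
    return best


if __name__ == "__main__":
    print("footnote scheme: impersonation", footnote_impersonation(),
          "substitution", footnote_substitution())
    print("Lemma B.2 scheme: eps", axu_epsilon(),
          "impersonation", recycling_impersonation(),
          "substitution", recycling_substitution())
```

For the footnote scheme the blind forgery $(0, 0^m)$ succeeds with probability 1, while the best substitution attack succeeds with probability $4/7$ (the $1/2$ of the footnote plus a $1/14$ guess when $y = (0, 0^m)$ was observed). For the one-time-padded scheme the impersonation probability is exactly $1/8 = 1/|\mathcal{T}|$ for every forged $(x,t)$, strictly below the family's $\varepsilon = 1/7$ that bounds substitution, which is the gap Lemma B.2 exploits over Lemma B.1.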